Larry "Patch" Trowell

Larry "Patch" Trowell is a Principal Consultant at NetSPI specializing in embedded system security. He has over 15 years of experience designing and securing a variety of embedded and IoT devices, including financial, automotive, and IPTV systems. He has led development and security initiatives for a number of design and Fortune 500 companies. Throughout his career he has championed system security in every step of the product journey, from architectural risk analysis and source code review to penetration testing and security R&D. As principal consultant at NetSPI, Larry is focusing on new ways to improve the security of devices that many of us depend on daily. Larry holds an M.S. in mathematics with an emphasis on artificial intelligence from Georgia Southern University and a B.S. in electrical and computer engineering from Georgia Institute of Technology.
More by Larry "Patch" Trowell
A Strategic Approach to Automotive Security
Published June 21, 2022
In recent years, we have witnessed many technological advancements in the automotive industry. From advanced driver assistance systems to connected mobile apps and digital keys, this technology brings convenience to our lives, but with it a new set of risks.  

In an industry where a single mistake can put lives on the line, it is imperative that we take a strategic approach to automotive cybersecurity to ensure the functional safety of each vehicle, and of its related systems and applications, before malicious actors can cause harm.

Standards such as ISO 26262-1:2018 and ISO/SAE 21434 were specifically designed to address functional safety and threats to automotive security. For example, ISO/SAE 21434 features the Threat Analysis and Risk Assessment (TARA). TARA breaks down the threats to a system so engineers can calculate the risk that any one component poses to the entire system and mitigate those threats in the design phase.

Even so, a standard car contains multiple electronic control units (ECUs), with some luxury models containing well over a hundred. Each of these systems could contain more than 100 million lines of code, especially the systems that deal with the outside world such as Automotive Head Units (AHU) or Telematics Boxes (T-BOX).

Every access point and added feature in the design makes it more difficult to identify vulnerabilities and serves as a potential vector for bad actors. So, what can original equipment manufacturers (OEMs), suppliers, vendors, and others do to strengthen their security efforts to keep pace with innovation? 

In this blog, I will discuss emerging automotive security risks and break down four automotive security best practices to help you improve your cybersecurity programs. 

Five Automotive Security Risks 

Misconfiguration in Automotive Software 

Most ECUs run some form of operating system. The device may run QNX, a modified version of Android, or another specialized real-time operating system (RTOS). Some of the ECUs found in today’s complex automotive systems require the full processing power that an operating system provides. Gone are the days when all of the automotive systems in the vehicle ran bare-metal code on weak processors.

However, with every added feature, parsed protocol, or secure bootloader configuration, there is a chance for a misconfiguration or coding error to slip past the development team. This is especially true of software that interacts with the user or the outside world.

Software for installable applications, such as a USB or Bluetooth driver, or even the parser for the Digital Audio Broadcasting (DAB) data that shows song information on the radio, can and has allowed parts of the vehicle’s systems to crash or become compromised. This matters more the closer the Controller Area Network (CAN) bus or other diagnostic protocol segment sits to the telematics unit, because that proximity gives an attacker potential access to the system over a range of wireless media.

Attack on Automotive Hardware 

The hardware that makes up a vehicle consists not only of the ECUs but also the sensors and the Hardware Security Modules (HSM). All of these devices, including those added to increase the security of the vehicle, contribute to the car’s attack surface. The attack surface includes any system that an attacker with physical or remote access could attack, extract data from, tamper with, or spoof in order to reach a vulnerable system in the automobile.

One area that is often a concern is how the system handles sensitive information at rest. If the file system of an AHU has not been encrypted and signed, there is little to stop an attacker from extracting the non-volatile memory and dumping or modifying it. Furthermore, self-driving autonomous vehicles are only as safe as their sensors are reliable.

If an attacker extracts information from an HSM, spoofs a sensor, glitches a debug port, or compromises the integrity of any part of the system, they could take any action. In automotive security, this threat is even more serious because the architectural secrets gained from one vehicle could lead to attacks on many (i.e., an entire fleet). Extracted firmware keys, JTAG (Joint Test Action Group) passwords, and network access to other cars are only some of the outcomes that could follow.

Unauthorized Access in Debugging Ports 

Debugging ports are serial ports that are active during the development of a piece of hardware and software and are normally disabled when the system goes to production. This is not the case in automotive. The data must remain retrievable in case the device fails, so that the root cause can be addressed.

These interfaces should still be protected via a password key that restricts access to the device, unpopulated header locations, or software configuration. However, they won’t prevent attackers from attempting to access them. If attackers gain access to these interfaces, they could gain developer-level access to the device with the ability to implement their own malicious “features” into the ECU. 

Breach Points in the Network 

Automotive systems have several networks today. Where we used to have only the CAN bus, which is still used today, we now use FlexRay, LIN, DoCAN, DoIP, and several others – each with its own method of transmitting data and diagnostics.

While these networks should be segmented, there are still breach points. The industry has developed encryption methodologies to prevent an attacker who has gained access to one device from breaching other devices. These come at the cost of added complexity in the processing of network traffic, especially when repaired or aftermarket parts and new key exchanges have to be accommodated.

Containers  

ECUs control the electronic functions of a car and now incorporate their own operating systems, but this is just the first step. More advanced ECUs run their own containers, which allow for quicker development time and an added layer of protection.

Some of these containers are typically used for machine learning implementations that perform the autonomous or assisted driving features prominent in many modern cars, which have been a focus of attackers in recent years. Containers are commonly assumed to be reasonably secure, but every year there are more reports of how these systems are misconfigured. They can be modified and, in some cases, used to perform privilege escalation.

Four Automotive Security Best Practices 

Let’s dive into automotive security best practices and what you can do to improve the overall security program for your automotive systems. Here are four best practices for you to consider.

Familiarize Yourself with the Automotive Threat Analysis and Risk Assessment Method (TARA)  

ISO standards, published by the International Organization for Standardization, are standards internationally agreed upon by experts. The activities they prescribe vary in kind and need to be revisited multiple times throughout the product lifecycle.

TARA specifically recommends several threat modeling methods that can apply to automotive systems: EVITA, TVRA, OCTAVE, the HEAVENS security model, attack trees, and SW, to name a few. You can find more information in ISO/SAE 21434, but note that these are only recommendations – the methodologies are adaptable. Other methodologies exist for assessing automotive security, but no matter which method you use, make sure it provides good coverage and documentation of the areas where there are automotive security concerns.

Review Code at Standard Intervals During Code Review to Reduce Errors 

Engineers don’t like to spend longer than necessary in a secure code review, as most programmers would rather write code than read it. However, reviewing code at standard intervals reduces the number of errors that show up in production systems. Additionally, it may be beneficial to employ some form of automation to discover errors that are harder to spot by hand.

Incorporate Fuzz Testing in the Quality Assurance Process 

Fuzz testing is a strategy for discovering bugs that other software testing methodologies can’t. Due to the speed and sophistication of input mutators, this brute-force method of bug hunting can be effective at finding flaws in network protocol parsers, file handlers, and similar input-processing code. While it takes time to create fuzzing software suited to the needs of the system, if done right, that investment will save more time in the long run.
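The following Python is an added example, not code from the original post or from NetSPI's tooling, showing the mutation-based approach the paragraph describes in its smallest useful form. It fuzzes a constructed toy type-length-value (TLV) record parser of the kind a head unit might use for metadata: the naive version trusts the length byte and raises on malformed input, the hardened version validates each length first, and the campaign reports which parser crashed and on what input. The parser, the mutators, the seed messages and the function names are all assumptions made for this example.

```python
import random


def parse_tlv(data: bytes):
    """Constructed toy type-length-value parser (not a real automotive format).
    Deliberately naive: it trusts the length byte, so malformed input raises
    instead of being rejected. The fuzzer treats each exception as a crash."""
    records = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]  # IndexError when the buffer ends right after a tag
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("declared length overruns buffer at offset %d" % i)
        records.append((tag, value))
        i += 2 + length
    return records


def parse_tlv_safe(data: bytes):
    """Hardened version: validates every length before slicing and returns
    None for malformed input instead of raising."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            return None
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            return None
        records.append((tag, data[i + 2 : i + 2 + length]))
        i += 2 + length
    return records


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """One round of simple mutation: bit flip, byte insert, byte delete,
    or overwrite with a boundary value that often upsets length fields."""
    buf = bytearray(sample)
    op = rng.choice(("flip", "insert", "delete", "overwrite"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    return bytes(buf)


# Constructed seed corpus: two well-formed TLV messages.
SEEDS = (b"\x01\x02ab\x02\x01c", b"\x10\x04data")


def fuzz(target, seeds=SEEDS, iterations=2000, seed=1):
    """Run a deterministic mutation campaign against `target`. Returns a dict
    keyed by exception type name, mapping to the first input that raised it;
    an empty dict means the target survived every mutated input."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except Exception as exc:  # any unhandled exception counts as a crash
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    for name, target in (("naive", parse_tlv), ("hardened", parse_tlv_safe)):
        found = fuzz(target)
        print(f"{name}: {len(found)} distinct crash type(s)")
        for kind, sample in found.items():
            print(f"  {kind}: {sample!r}")
```

The campaign is seeded so that a run is reproducible, which is what makes a crash reproducible for the developer who has to fix it. A real harness for an ECU target would wrap the device's parser in C and watch for faults or watchdog resets rather than Python exceptions, but the loop is the same: pick a seed, mutate, run, and keep the first input for each distinct failure.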

Check Your Cellular Connections 

There are a few areas where traditional networks and automotive systems intersect. Wherever these intersections exist, ensure that the system is fuzzed in every possible configuration. One often overlooked area is the use of a cellular test station to connect to the automotive T-BOX. This is important because, under normal circumstances, telecoms tend to act as makeshift firewalls for mobile devices. But you can’t always depend on them, especially when attackers can create their own cellular test systems.

The Importance of Automotive Penetration Testing

It takes skills to design and implement the features in our vehicles today. Engineers have a certain method of thinking about problems and rarely think maliciously about the devices they are working on.  

They may know areas where effort has been lacking or bypasses that are not covered in detail in the architecture diagram. But when it comes to knowing the best way of combining these issues into a chained attack, engineers and quality assurance personnel fall short. It is one thing to know where a flaw is, but another to understand how to apply the correct pressure to the flaw and determine the true strength or vulnerability of the vehicle.

In addition, the technologies and techniques used in attacking systems change faster than the technologies they attack. Keeping up to date with the newest attack methodologies requires a person’s full-time attention.  

That is why I find it is typically better to have a group of experts already dedicated to keeping abreast of the newest methodologies, who have developed their own tools to evaluate your unique automotive security requirements. You can invest in your own penetration testing team or seek out penetration testing services, like NetSPI’s automotive pentesting.

Automotive environments are complex cyber-physical systems, but there are many opportunities to improve your security maturity. This blog and the automotive cybersecurity best practices shared within are just scratching the surface of this unique threat landscape. If you’d like to continue the conversation with me and dig deeper, don’t hesitate to reach out at www.netspi.com/contact-us.

How Secure are ATM Machines? An ATM Penetration Testing Expert Explains
Webinar, published March 18, 2022

ATM security concerns are not solely physical. In other words, it doesn’t require an excavator or backhoe to gain unauthorized access to the ATM ecosystem. ATM security is a cyber concern – and this risk grows as ATM innovation accelerates.

In this 30-minute webinar, NetSPI’s Principal Consultant Larry “Patch” Trowell will discuss:

  • The ATM security risks that banks, financial institutions, and the ATM industry face today 
  • Recent ATM security breaches, common attack vectors, and security vulnerabilities – from peripherals/communication attacks to backend network attacks 
  • Actionable ATM best practices to ensure your customers, their cash, and their data remain protected
ChannelPro Network: IAM for IoT
Published March 1, 2022

On March 1, 2022, Larry Trowell was featured in a ChannelPro Network article titled “IAM for IoT”. Preview the article below, or read the full article online here.

+ + +

IDENTITY AND ACCESS MANAGEMENT is hard enough when it’s mostly users you have to worry about. When large volumes of vulnerable IoT devices are involved as well, the challenges only get greater.

"IAM is already a complex subject, and the addition of IoT devices makes the entire process much more complex," says Larry Trowell, principal consultant at NetSPI, a penetration testing-as-a-service security company in Minneapolis.

In IT, IAM “is used to streamline user digital identities, and to enhance the security of user-facing front-end operations," says Dimitrios Pavlakis, a senior analyst at ABI Research. Policies for passwords, email, accounts, and more can be automated, like onboarding, to meet security requirements and compliance rules. These advantages apply to IoT devices as well as users, but there are numerous hurdles.

For instance, domain controllers used by many companies often have trouble supporting IoT devices with limited client intelligence, according to Trowell. Even cloud solutions prepared for IoT devices "may not be able to operate with the level of access businesses feel they should," he notes. Multiple IoT devices may need to maintain identities and roles between various accounts, leading to security gaps within this complex environment.

VMBlog.com: Expert Commentary: Cybersecurity Threats During the Holidays
Published December 10, 2021

On December 10, 2021, NetSPI Principal Security Consultant Larry Trowell was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.

+++

With the holiday season in full swing, cybercriminals know consumers are relying heavily on online shopping to fulfill their Christmas gifting lists, and organizations are at an increased risk of threats.  Here's some helpful advice from several cybersecurity experts.

NetSPI, Larry Trowell, Principal Consultant

"As we enter the holiday season, security professionals must be aware of the threats that come with holiday gifts, specifically smart IoT devices. These connected gadgets open up a new host of security risks for both employees' personal lives and corporate networks. 

Over the last two years alone, more people have set up multiple devices that connect to a single home network, including corporate-issued computers and tablets. With so many devices already in play, employees need to understand that some of the most popular technology gifts, such as robot vacuums, Tile, and Alexa come equipped with Bluetooth and Wi-Fi, cameras and geo mapping. These capabilities create a complex system that is more prone to attacks because it has greater potential for flaws and vulnerabilities within an increased attack surface - especially when integrated with other home automation products. 

In tandem with this increased tech adoption, the pandemic and rise in remote work brought all corporate devices into employees' homes and opened up Pandora's box for potential vulnerabilities -- home office networks are said to be 3.5 times more likely to be attacked than corporate networks. To better understand, assess, and manage how employees are accessing company networks during the holidays, companies should educate their workforce about potential risks to their home network that come with tech gifts, and set up regular tests of their corporate systems as computers leave the office. Having a security testing program set in place -- prior to the holidays -- can help to identify any vulnerabilities within the corporate network quickly and efficiently and allow employees to better understand all the risks at play this time of year."

Immersive Labs, Kevin Breen, Director of Cyber Threat Research

"Cyberattackers like to take advantage of human behaviors and the holiday season is no exception. The increase in online and in-store shopping makes for an easy in, whether via phishing emails that mirror holiday marketing campaigns or fraud through the digital domain. 

Toys and gifts are also becoming more high-tech and connected to WiFi or Bluetooth. Sadly, manufacturers don't always consider the security risks when building these connected devices, since they're hyperfocused on the user experience, which can present some exposure to users.    

The human element also makes the holidays a particularly vulnerable time. There's a societal pressure to exchange gifts, make memories, finish the year strong and make ends meet, creating a slew of open opportunities for cyber threats and disruption. We've seen some of the most impactful ransomware attacks happen during holiday periods, for example, where there's minimal security staffing and an increase in external commitments. Cyberattacks don't stop during the holidays, in fact, they're often amplified, so it's critical that organizations remain vigilant and prepared."

Gigamon, Joe Slowik, Senior Manager of Threat Intelligence

"Supply chains are especially vulnerable to cyber attacks this holiday season. Supply chain attacks raise the prospect of stealthy, nearly impossible to detect intrusions by subverting fundamental trusts between network operators and their suppliers, contractors, and related parties...

...While concrete proof or direct evidence for any of these alleged incidents is circumstantial at best and typically nonexistent, the nature of the problem makes proving (or disproving) such events difficult or impossible. Once fundamental system trust is questioned, discussion quickly shifts such that one must prove that a device is not compromised which is a near impossible task.

One mechanism for adversaries, defenders and network owners to retain significant 'first mover' advantage in that they own, manage, and (ideally) can design the landscape on which intruders must operate - emerges through implementing "zero trust" security architecture. One of the core mechanisms to achieve and maintain zero trust principles is rigorous network segmentation through physical and virtual mechanisms. System owners can reduce direct connectivity between devices and establish authentication or rigorous trust boundaries between segments. Adversary lateral movement then becomes significantly more difficult even if the initial breach takes place via a supply chain mechanism circumventing other controls. Thorough segmentation becomes especially valuable when paired with monitoring and visibility. System owners and network defenders gain insight into internal network traffic flows between discrete zones as opposed to just internal-external communications. Combined with a robust approach to C2 traffic monitoring described in the previous section, defenders gain layered visibility into adversary operations throughout multiple phases of operations."

Datto, Ryan Weeks, Chief Information Security Officer

"The holiday season presents a "perfect storm" of opportunity for threat actors. Timing is the sweet spot for most attackers; the longer it takes for someone to notice there has been an intrusion, the more damage they can do. With an abundance of shopping deals, marketing emails and greater online traffic, the holidays are a perfect time for employees to fall for phishing tactics that enable hackers to propagate throughout a network - long before a company even realizes it. 

In fact, phishing emails top the list of successful attack vectors at 54%. Further, a lack of education, weak passwords and poor user practices are among the top causes for ransomware attacks. In the weeks leading up to the holidays, companies should ensure their employees are properly educated and trained on how to spot phishing tactics and thwart intrusions that could quickly spread to infect an entire organization during the holidays."

Veriff, Janer Gorohhov, Co-founder and Chief Product Officer

"The accelerated digital transformation of companies around the world has led to an increase in fraud rates globally, and retail is no exception. To combat this increase in fraud and maintain trust and safety online this holiday season, more organizations must leverage artificial intelligence tools to identify and stop bad actors in their tracks, saving online retailers money and protecting both their employees and customers."

Post published November 23, 2021 (title not captured in this listing)

While the best part of the holidays is spending time with family and friends, giving or receiving a new smart device can often be the icing on the cake for people of all ages. A recent Consumer Technology Association study noted that technology sales are expected to hit $142.5 billion this holiday season – a record high from the last few years.  

However, with the pandemic creating a distributed workforce where employees log onto corporate networks at home, these fun holiday gifts may be the next big network security risk – for both employees’ personal lives and corporate networks.  

Companies need to better prepare for security vulnerabilities associated with the holiday season, while more broadly achieving a better understanding of how personal and corporate networks are blending in the modern work environment. To prepare, employees need to be educated on the risks smart devices bring to their home networks and IT/security leaders need to bolster their systems to ensure they remain secure while employees work from home.  

Understand the IoT security risks for remote workers 

Network risks are evolving. Over the last two years alone, more people have set up multiple devices that connect to a single home network, including corporate-issued computers and tablets. With so many devices already in play, and more to come as gifts this holiday season, the attack surface has grown exponentially.  

The problem with connected tech holiday gifts 

Some of the most popular technology gifts come equipped with Bluetooth and Wi-Fi, cameras, and geo-mapping. One popular gift, Tile-like tracking devices meant to help consumers find easily lost everyday items, has prompted conversation and speculation within the security industry over the years. But the threat has heightened, as an Apple integration now allows these types of devices – including Apple’s own AirTag – to be added and tracked in its “Find My” feature. If compromised, an outside party could begin tracking the user’s location without their permission and monitor living patterns to exploit the information and lure them into a phishing attack or other breach.

Additionally, through a partnership with Amazon, Tile can now integrate with Alexa and other Amazon devices to detect if a Tile is nearby. With this feature, malicious actors could find any Tile in the area, hack into its GPS functionality, track its location, and notify the Tile network of its name, location, etc. within a certain radius – opening home devices to potential exploitation. 

The same threats lie within additional ‘smart’ gifts. Robot vacuums, regardless of the brand, are connected to home networks and also connect to the internet – and integrate with other home automation products. This extension of connectivity creates a complex system that is more prone to attacks because it has greater potential for flaws and vulnerabilities. When you integrate a camera onto these devices, the risks only grow. Threat actors could easily monitor users’ movements to understand daily patterns and even craft a blueprint of their home. 

How to solve for these vulnerabilities at home 

With so many new gadgets and technology gifts on the market, many major players in this space are not doing their due diligence to ensure the proper security precautions are in place – especially since it's an unregulated industry and manufacturers often prioritize development over security to meet increasing demand. As you install more IoT devices and get new gadgets for the holidays, consider putting these devices on a guest network. This will separate your at-home devices from your corporate computer and technology, limiting the potential attack surface that malicious actors can exploit.

If an attack does arise, using a guest network makes it easier to track and pinpoint the exact location of the breach, while limiting the potential threat to your corporate or home network. It’s also a best practice to pick one home automation kit and standardize it across all the technology in your house so all items will seamlessly integrate into that one system.  

Understand and prevent corporate network vulnerabilities  

The transition to remote work, spurred by the pandemic, brought all corporate devices into employees' homes and opened up a can of worms for potential vulnerabilities – home office networks are said to be 3.5 times more likely to be attacked than corporate networks. Further, there is currently a misconception about which systems and software can securely switch between corporate and at-home networks, meaning employees have potentially exposed their corporate networks to security risks dating back to when they initially took their office gear home in Spring 2020. Knowing this, how can IT and security teams prepare for the holiday gift season, when even more tech will be added to the mix?

Audit your security tools early on 

To better understand, assess, and manage how employees are accessing company networks during the holidays and to work from home, companies should set up regular tests of their systems. Having a security testing program set in place – prior to the holidays – can help to identify any vulnerabilities within the corporate network quickly and efficiently. It can also open IT and security teams' eyes to which devices are vulnerable when used at home on personal networks. It’s important for companies to understand where vulnerabilities lie and make sure their systems and devices are secure year-round, but even more so during the holidays when the majority of staff is working remotely or taking time off.  

NetSPI is the leader in network penetration testing – work with our experts!

Educate! 

Often, security breaches are caused by a general lack of awareness within employee bases. Corporations should develop mandatory training programs that bring potential vulnerabilities to light, and teach their workforce how to monitor, prevent and report potential dangers. Training programs should include a specific lesson on the dangers of smart devices and working on home networks – consider timing this specific training in late-November, early-December, before the holiday season kicks off.  

The holidays should be a time where all employees can recharge and spend time with family, without worrying about work. The onus is on enterprises to prepare their workforce for potential IT threats, while also taking proactive measures to prevent potential vulnerabilities in their network. Smart tech gifts aren’t going away, but with proper protocols in place, IT teams, company leadership, and the broader employee network can all enjoy time off without the risk of a breach.  

Title: IoT: Great Holiday Gift or Network Security Nightmare?
Excerpt: Learn why IoT devices may be the next big security risk – for both employees’ personal lives and corporate networks.
Permalink: https://www.netspi.com/?p=26721 (last modified 2021-11-22)

Published: 2021-07-27

According to estimates from the ATM Industry Association (ATMIA), there are more than three million automated teller machines (ATMs) across the globe today, making the ATM the most common way for consumers to interact physically with their bank. Since its inception in 1967, criminals have discovered many ways to hack into ATMs – and technological advancements have only made their efforts more lucrative.

Modern hackers aren’t solely after cash. Account numbers, PINs, debit card information, and points of entry to the internal network or firmware provider can all be accessed by exploiting known security vulnerabilities.

One particular cybersecurity threat banks must pay closer attention to is direct memory access (DMA) attacks. DMA attacks target the areas of a computer that require direct memory access, such as the PCI bus or USB/Thunderbolt ports. DMA attacks enable an adversary with physical access to a device to read and overwrite memory, giving them full control over the operating system (OS) kernel and the ability to perform malicious activity. Unfortunately, many devices exist today that have not addressed the concerns that DMA vulnerabilities revealed years ago. 

In this blog post, I will explore common ATM security vulnerabilities and attack tactics and explain why DMA attacks require heightened awareness. Additionally, I will share best practices to implement to help strengthen your ATM cybersecurity efforts.

Common ATM security vulnerabilities

ATMs have a lengthy shelf life for an embedded device, often lasting 10 years before needing to be replaced. ATMs are typically built around a Windows desktop PC provided by the ATM manufacturer (e.g. Diebold, NCR, Hyosung). The bank is then responsible for hardening the OS and ensuring updates and patches are applied to the system as needed.

Further, many ATMs in service today still run on older, more vulnerable versions of Windows. These systems can become very expensive to maintain and can take significant resources to properly protect. Keeping these systems secure becomes more difficult as they age, and it takes a lot of work to keep up with the latest attacks. While keeping these systems properly hardened, it’s easy to miss some seemingly unrelated security measures – until it’s too late.

It’s not always the outdated OS itself that attackers target. While zero-day vulnerabilities do exist, we more often see security risks in the bank’s custom ATM user interface and applications, incomplete system hardening, vulnerabilities in custom security protections from the vendor/manufacturer, or unencrypted communications over USB. Here are five common ATM attacks:

  1. Sensor Tampering/Forking Attacks: Tampering with the sensors to withdraw money from the ATM without it debiting the account. Example: Australia forking attack, 2014
  2. Black Box: Connecting an external device (“black box”) to the ATM’s cash dispenser, then using native commands to cause the machine to release currency, bypassing the need for a card or transaction authorization. Example: Diebold code theft, 2020
  3. Peripherals/Communication: Most of the important devices inside a typical ATM are peripherals that communicate over USB and serial buses. Some systems have not properly implemented encryption over these media. This leads to attackers eavesdropping on the USB bus, replaying traffic, performing man-in-the-middle attacks, or fuzzing the interfaces to alter software. These attacks aren’t limited to the bus lines; the peripherals and the systems that support them are also vulnerable to communication attacks. Example: NFC replay attacks, HITBGSEC 2018 D2
  4. Malware/Jackpotting: An attacker finds some flaw in the system that allows them to install their own custom software on the ATM: via an insecure firmware update, a leaked/outdated certificate, or a flaw in the encryption. These attacks do not have to be against the ATM itself; some forms of ATM malware can be delivered without physical access to the machine by leveraging a known exploit against a financial institution’s servers. The malware is then pushed to every ATM in the chain, compromising many machines in one strike. Examples of ATM malware families: Ploutus, Anunak/Carbanak, Cutlet Maker, SUCEFUL
  5. Direct Memory Access (DMA): DMA allows devices to communicate directly with the system’s memory, bypassing the OS and manipulating firmware. If exploited, adversaries can gain direct access to information and privileges. These attacks often require physical access but can also be deployed remotely. Example: DMA attack, PCILeech USB3380

The risk of DMA vulnerabilities

Despite the security precautions hardware and software vendors have implemented, DMA attacks remain a reality for many enterprise devices today. DMA attacks began making waves mostly as theoretical attacks until video game hackers caught wind. In the video game space, DMA attacks allow players to bypass protections without triggering the anti-cheat software placed by game manufacturers – but the threat reaches much farther than one industry. 

Any system where an attacker has physical access to the machine is vulnerable. And these attackers’ techniques have become much more covert over the years. DMA attacks have been gaining traction in the red team space, and banks are shocked at how easy it is to bypass their ATM security using a single technique. Currently, not many banks test for DMA vulnerabilities, possibly due to the lack of awareness around this particular attack vector.

As mentioned earlier, DMA attacks may grant adversaries full control over all of the device’s memory, including the kernel and the entire OS. The problem with this access is that the memory is not, at least by default, segmented. The access is granted at the hardware level, so the attacker can overwrite any area of memory they can reach, regardless of the privilege level protecting that memory.

DMA attacks have also evolved. One avenue into systems with DMA is PCIe cards. These cards are similar to the graphics cards added to a PC, but modified to communicate with outside controllers and give attackers access to the computer’s memory. These custom cards are now Wi-Fi enabled, which allows attackers to insert their attack hardware and leave. The attacker can then wait until the system is up and running and, at their leisure, draw secrets from the system’s RAM (encryption keys, PINs, credit card numbers, etc.) or modify a running, authenticated system to execute shellcode placed dynamically into memory, outside the purview of even the most thorough antivirus or malware protection.

Remediating this issue is no easy task. ATMs employ a number of security precautions: hard drive encryption, firewalls, process monitoring software, etc. to ensure the system has not been modified. Unfortunately, DMA attacks can easily bypass these protections. 

The best way to prevent ATM security attacks, like DMA attacks, is to strengthen your foundational cybersecurity efforts and gain a better understanding of your preparedness and the impact an attack on your devices would have. To help, here are six ATM security best practices to follow, beyond physically disabling the PCIe bus with epoxy.

6 ATM security best practices

  1. Disable hardware that isn’t supposed to be in the system by default. Disable any USB functionality that is not used. This includes Thunderbolt adapters, storage devices, and USB Ethernet adapters. Anything that increases the attack surface and isn’t needed should be removed.
  2. Ensure encryption is set up properly and confirm that every link in the chain of encryption is followed. Make sure the encryption keys are kept safe, and confirm that communications between peripherals are encrypted as well.
  3. If the version of Windows used allows memory segmentation, enable it. For DMA vulnerabilities, if using Windows 10, turn Kernel DMA Protection on.
  4. Ensure the operating systems are properly hardened.
  5. Limit the types of USB devices the ATM accepts and restrict the accepted vendor ID (VID) and product ID (PID) values. For example, there is no reason for an external graphics card or an audio adapter to be accepted on the USB bus.
  6. Perform a penetration test of your ATM applications to gain a better understanding of the impact an ATM security incident or breach would have on your systems – and learn whether your existing security controls are working as they’re supposed to.
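As an added example of best practices 1 and 5 (not code from the original post or from NetSPI), the following PowerShell script applies a default-deny USB device installation policy on the Windows PC inside an ATM, with an allow-list keyed on VID/PID, and then audits the USB devices currently present against that list. The registry path and value names are those written by the Windows "Device Installation Restrictions" Group Policy settings; the VID/PID values are constructed placeholders to be replaced with the hardware IDs of the ATM's real peripherals.

```powershell
# Added example, not code from the original post or from NetSPI.
# Default-deny USB device installation with a VID/PID allow-list, plus an audit of
# present USB devices. Registry path and value names are those of the Windows
# "Device Installation Restrictions" policies (the same keys the Group Policy editor
# writes). The VID/PID values are constructed placeholders: replace them with the
# hardware IDs of the peripherals your ATM actually uses.
#Requires -RunAsAdministrator

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowListKey    = Join-Path $RestrictionsKey 'AllowDeviceIDs'

# Constructed placeholder hardware IDs for the peripherals expected on this ATM.
$ApprovedDeviceIds = @(
    'USB\VID_1234&PID_0001',   # placeholder: card reader
    'USB\VID_1234&PID_0002',   # placeholder: cash dispenser
    'USB\VID_5678&PID_00A0'    # placeholder: encrypting PIN pad
)

function Set-AtmUsbAllowList {
    param([Parameter(Mandatory)][string[]] $DeviceIds)

    New-Item -Path $RestrictionsKey -Force | Out-Null
    New-Item -Path $AllowListKey -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings":
    # anything not explicitly allowed below is refused at installation time.
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified' -Type DWord -Value 1

    # "Allow installation of devices that match any of these device IDs":
    # the DWORD enables the policy; the subkey holds the list as values named 1, 2, 3, ...
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs' -Type DWord -Value 1
    Get-Item -Path $AllowListKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $AllowListKey -Name $_ }
    for ($i = 0; $i -lt $DeviceIds.Count; $i++) {
        Set-ItemProperty -Path $AllowListKey -Name ($i + 1) -Type String -Value $DeviceIds[$i]
    }
}

function Get-AtmUsbAllowList {
    # Reads the list back so the configured state can be verified after a change.
    if (-not (Test-Path $AllowListKey)) { return @() }
    $item = Get-Item -Path $AllowListKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

function Get-UnapprovedUsbDevices {
    param([Parameter(Mandatory)][string[]] $DeviceIds)

    # Get-PnpDevice lists devices present on the bus. InstanceId begins with the
    # hardware ID, e.g. USB\VID_1234&PID_0001\<serial> or ...&MI_00 for a composite
    # interface, so only the VID/PID portion is compared. Root hubs and host
    # controllers (USB\ROOT_HUB30\...) carry no VID/PID and are skipped.
    Get-PnpDevice -PresentOnly | ForEach-Object {
        if ($_.InstanceId -match '^(USB\\VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4})') {
            $hardwareId = $Matches[1].ToUpperInvariant()
            if ($DeviceIds -notcontains $hardwareId) {
                [pscustomobject]@{
                    FriendlyName = $_.FriendlyName
                    HardwareId   = $hardwareId
                    InstanceId   = $_.InstanceId
                    Status       = $_.Status
                }
            }
        }
    }
}

Set-AtmUsbAllowList -DeviceIds $ApprovedDeviceIds
Write-Host 'Configured allow-list:'
Get-AtmUsbAllowList
Write-Host 'Present USB devices not on the allow-list (candidates for removal or blocking):'
Get-UnapprovedUsbDevices -DeviceIds $ApprovedDeviceIds | Format-Table -AutoSize
```

The deny policy is evaluated when a device is installed, so the audit function is what reveals devices that were already present before the policy was applied; on a domain-joined machine, a GPO that manages these keys will overwrite locally set values.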

The importance of ATM penetration testing services

Penetration testing services can tell you where your security stands and, more importantly, where it is lacking. Pentesting can verify whether the ATM peripherals that handle sensitive data are properly encrypted and whether encryption keys can be extracted from the firmware or the card reader. Is the encryption used to protect the hard drive strong enough and configured correctly? Is there any method attackers can use to gain access to the keys – and if so, what can they do once they have them?

Sometimes, it is not possible to prevent every attack. In these cases, you need to know what will happen once there is a breach and how well you are protected once a weakness is found. Then, make it as difficult as possible for an attacker to maneuver inside the system. Using outside pentesting teams is a great way to keep apprised of the latest attack methods and view your system from the perspective of an adversary.

Engage with NetSPI to determine how DMA vulnerabilities affect your devices.
Title: The State of ATM Security: DMA Vulnerabilities are Lurking
Excerpt: Explore common ATM security vulnerabilities, including DMA attacks, and learn best practices for strengthening your ATM cybersecurity efforts.
Permalink: https://www.netspi.com/?p=26042 (last modified 2021-07-26)

Published: 2022-06-21

In recent years, we have witnessed many technological advancements in the automotive industry. From advanced driver assistance systems to connected mobile apps and digital keys, this technology brings convenience to our lives, but with it a new set of risks.  

In an industry where a single mistake can put lives on the line, it’s imperative that we take a strategic approach to automotive cybersecurity to ensure the functional safety of each vehicle, and its related systems and applications, before malicious actors can cause harm.

Standards such as ISO 26262-1:2018 and ISO/SAE 21434 were specifically designed to address functional safety and threats to automotive security. For example, ISO/SAE 21434 features the Threat Analysis and Risk Assessment (TARA). TARA breaks down the threats in a system so engineers can calculate the risk any one component poses to the entire system and mitigate those threats in the design phase.

Even so, the design of a standard car contains multiple electronic control units (ECUs), with some luxury models containing well over a hundred. Each of these systems can contain more than 100 million lines of code, especially systems that deal with the outside world such as Automotive Head Units (AHU) or Telematics Boxes (T-BOX).

Every access point and added feature in the design makes it more difficult to identify vulnerabilities and serves as a potential vector for bad actors. So, what can original equipment manufacturers (OEMs), suppliers, vendors, and others do to strengthen their security efforts to keep pace with innovation? 

In this blog, I will discuss emerging automotive security risks and break down four automotive security best practices to help you improve your cybersecurity programs. 

Five Automotive Security Risks 

Misconfiguration in Automotive Software 

Most ECUs run on some form of operating system. The device may run QNX, a modified version of Android, or another specialized real-time operating system. Some of the ECUs found in today’s complex automotive systems require the full processing power of an operating system. Gone are the days when all of the automotive systems in the vehicle ran bare-metal code on weak processors.

However, with every added feature, parsed protocol, or secure bootloader configuration, there is a chance for a misconfiguration or coding error to slip past development teams. This is especially true of software that interacts with the user or the outside world.

The software for any installable component, such as a USB or Bluetooth driver, or even the Digital Audio Broadcasting (DAB) data that shows song information on the radio, can, and has, allowed parts of the vehicle’s systems to crash or become compromised. This matters more the closer the Controller Area Network (CAN) bus or other diagnostic protocol segment sits to the telematics unit, because that gives the attacker potential access to the system over a range of wireless media.

Attack on Automotive Hardware 

The automotive hardware that makes up a vehicle consists not only of the ECUs but also the sensors and the Hardware Security Modules (HSM). All of these devices, including those added to increase the security of the vehicle, contribute to the attack surface of the car. The attack surface includes any system that an attacker with physical or remote access could attack, extract data from, tamper with, or spoof in order to reach a vulnerable system in the automobile.

One area that is often a concern is how the system handles sensitive information at rest. There are few ways to stop an attacker from extracting the non-volatile memory from an AHU and dumping or modifying the file system if it has not been encrypted and signed. Furthermore, self-driving autonomous vehicles are only as safe as their sensors are reliable.

If an attacker extracts information from an HSM, spoofs a sensor, glitches a debug port, or compromises the integrity of any part of the system, they could take any action. In automotive security, this threat is even more pressing because the architectural secrets gained from one vehicle could lead to attacks on many (i.e., an entire fleet). Extracted firmware keys, JTAG (Joint Test Action Group) passwords, and network access to other cars are only some of the attacks that could be mounted.

Unauthorized Access in Debugging Ports 

Debugging ports are serial ports that are active during the development of a piece of hardware and software and are then disabled when the system goes to production. This is not the case in automotive, where the data must remain retrievable in case of a failure in the device so that the root cause can be addressed.

These interfaces should still be protected via a password key that restricts access to the device, unpopulated header locations, or software configuration. However, they won’t prevent attackers from attempting to access them. If attackers gain access to these interfaces, they could gain developer-level access to the device with the ability to implement their own malicious “features” into the ECU. 

Breach Points in the Network 

Automotive systems have several networks today. Where we used to have only the CAN Bus, which is still used today, we now use FlexRay, LIN, DoCAN, DoIP, and several others – each with their method of transmitting data and diagnostics.  

While these networks should be segmented, there are still breach points. We have developed some encryption methodologies to prevent an attacker from gaining access to a device that could breach other devices. This is accomplished by adding a layer of complication to the processing of the network traffic, especially when considering repaired or aftermarket parts and new key exchanges.  

Containers  

ECUs control the electronic functions of a car and now incorporate their own operating systems, but this is just the first step. More advanced ECUs have their own containers, which allow for quicker development and an added layer of protection.

Some of these containers are typically used for machine learning implementations that perform the autonomous or assisted driving features prominent in many modern cars - a potential focus of attackers in recent years. Containers are generally thought to be somewhat secure, but every year there are more reports of how these systems are misconfigured. They can be modified and, in some cases, used to perform privilege escalation.

Four Automotive Security Best Practices 

Let’s dive into automotive security best practices and what you can do to improve the overall security program for your automotive systems. Here are four best practices for you to consider.

Familiarize Yourself with the Automotive Threat Analysis and Risk Assessment Method (TARA)  

ISO (International Organization for Standardization) standards are a set of standards internationally agreed upon by experts. The processes they describe cover a range of activities and need to be addressed multiple times throughout the product lifecycle.

TARA specifically recommends several threat modeling methods that can apply to automotive systems: EVITA, TVRA, OCTAVE, the HEAVENS security model, attack trees, and SW, to name a few. You can find more information in ISO 21434, but note that these are only recommendations – and the methodologies are adaptable. Other methodologies exist to check for automotive security, but no matter which method you use, make sure it provides good coverage and documentation of the areas where there are automotive security concerns.

Review Code at Standard Intervals During Code Review to Reduce Errors 

Engineers don’t like to spend longer than necessary in a secure code review, as most programmers prefer writing code to reading it. However, reviewing code at standard intervals reduces the number of errors that show up in production systems. Additionally, it may be beneficial to employ some form of automation to discover more hidden errors.

Incorporate Fuzz Testing in the Quality Assurance Process 

Fuzz testing is a strategy for discovering bugs that other software testing methodologies can’t. Due to the speed and sophistication of input mutators, this brute-force method of bug hunting can be effective at finding flaws in network protocols, file handlers, and similar data. While it takes time to create fuzzing software to suit the needs of the system, if done right, that investment will save more time in the long run. 

Check Your Cellular Connections 

There are a few areas where traditional networks and automotive systems intersect. Wherever these intersections exist, ensure the system is fuzzed in every possible configuration. One often overlooked area is the use of a cellular test station to connect to the automotive T-BOX. This is important because, under normal circumstances, telecoms tend to act as makeshift firewalls for mobile devices. But you can’t always depend on them, especially when attackers can build their own cellular test systems.

The Importance of Automotive Penetration Testing

It takes skills to design and implement the features in our vehicles today. Engineers have a certain method of thinking about problems and rarely think maliciously about the devices they are working on.  

They may know areas where effort has been lacking or bypasses that may not be covered in detail in the architecture diagram. But when it comes to knowing the best way of combining these issues into a chained attack, engineers and quality assurance personnel fall short. It is one thing to know where a flaw is, but another to understand how to apply the correct pressure to the flaw and determine the true strength or vulnerability of the vehicle.

In addition, the technologies and techniques used in attacking systems change faster than the technologies they attack. Keeping up to date with the newest attack methodologies requires a person’s full-time attention.  

That is why I find it is typically better to have a group of experts already dedicated to keeping abreast of the newest methodologies, and who have developed their own tools, evaluate your unique automotive security requirements. You can invest in your own penetration testing teams or seek out penetration testing services, like NetSPI’s automotive pentesting.

Automotive environments are complex cyber-physical systems, but there are many opportunities to improve your security maturity. This blog and the automotive cybersecurity best practices shared within are just scratching the surface of this unique threat landscape. If you’d like to continue the conversation with me and dig deeper, don’t hesitate to reach out at www.netspi.com/contact-us.

Title: A Strategic Approach to Automotive Security
Excerpt: Explore common automotive security risks and learn automotive security best practices to ensure the security of your vehicles.
Permalink: https://www.netspi.com/?p=27953 (last modified 2022-06-17)